From 09dc0cb76c4deeaec90a2f6428f2cf79c29dbc40 Mon Sep 17 00:00:00 2001 From: Alexey <247128645+axkurcom@users.noreply.github.com> Date: Thu, 11 Jun 2026 19:44:39 +0300 Subject: [PATCH] Update handshake_security_tests.rs Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com> --- src/proxy/tests/handshake_security_tests.rs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/proxy/tests/handshake_security_tests.rs b/src/proxy/tests/handshake_security_tests.rs index 980075c..3b9eff7 100644 --- a/src/proxy/tests/handshake_security_tests.rs +++ b/src/proxy/tests/handshake_security_tests.rs @@ -10,11 +10,14 @@ use std::time::{Duration, Instant}; use tokio::sync::Barrier; fn make_valid_tls_handshake(secret: &[u8], timestamp: u32) -> Vec { + make_valid_tls_handshake_with_fill(secret, timestamp, 0x42) +} + +fn make_valid_tls_handshake_with_fill(secret: &[u8], timestamp: u32, fill: u8) -> Vec { const TLS_AES_128_GCM_SHA256: [u8; 2] = [0x13, 0x01]; const TLS_EXTENSION_KEY_SHARE: u16 = 0x0033; const X25519_KEY_SHARE_LEN: usize = 32; let session_id_len: usize = 32; - let fill = 0x42u8; let mut extensions = Vec::new(); let mut key_share = Vec::new(); @@ -650,12 +653,17 @@ async fn adversarial_tls_replay_churn_allows_only_unique_digests() { })); } - // 128 unique timestamps: all should pass because HMAC digest differs. + // 128 unique ClientHello bodies: all should pass because replay tracks the + // first digest half, while timestamp skew is encoded in the last bytes. for i in 0..128u16 { let config = Arc::clone(&config); let replay_checker = Arc::clone(&replay_checker); let rng = Arc::clone(&rng); - let handshake = make_valid_tls_handshake(&secret, 10_000 + i as u32); + let handshake = make_valid_tls_handshake_with_fill( + &secret, + 10_000 + i as u32, + (i as u8).wrapping_add(0x80), + ); tasks.push(tokio::spawn(async move { let peer = SocketAddr::new( IpAddr::V4(Ipv4Addr::new(198, 18, 0, ((i % 250) + 1) as u8)),